What is URL obfuscation?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email from what looks like your bank. There's a link to "verify your account." The display text says www.yourbank.com, but the actual URL it points to? Something completely different. That gap between what you see and where you land is URL obfuscation in action.
URL obfuscation is when the real destination of a link is hidden or disguised, either to slip past spam filters or to trick you into clicking something you'd never click if you saw the truth. Phishers rely on it heavily, but it also shows up in spam and brand impersonation attacks.
Here's how the most common techniques actually work:
- URL shorteners. A link like
bit.ly/xK7q2tells you absolutely nothing about where it goes. That's the point. Legitimate marketers use shorteners for tracking, but attackers use them to hide malicious destinations entirely. - Percent-encoding. URLs can represent characters with their hex equivalents. The letter "a" becomes
%61. Sopayp%61l.comrenders aspaypal.comin some contexts but resolves to a completely different domain. Filters that scan for the word "paypal" might miss it. - Embedded credentials. A URL can include a username before the
@symbol. Something likelegitimate.com@malicious.comis technically pointing tomalicious.com, but the eye reads it as legitimate first. Easy to miss if you're scanning fast. - Subdomain tricks. The domain
legitimate.com.evil.netlooks like it belongs tolegitimate.comat a glance. It doesn't. The actual registrable domain isevil.net. - Redirect chains. You click a link that first hits a clean domain, which then bounces you through two more redirects before landing somewhere malicious. Each hop is designed to look innocent on its own, so filters that only check the first URL see nothing wrong.
The defense isn't complicated, but it does require slowing down for a second (which is exactly what attackers are counting on you not doing).
If you're a regular email user, hover over any link before you click it. Most email clients show you the real destination at the bottom of the screen. If that URL looks nothing like what the display text says, don't click. For shortened URLs, a tool like checkshorturl.com or simply adding a + to a bit.ly link (like bit.ly/xK7q2+) expands it to show the full destination before you visit.
If you're responsible for email security at an organisation, the more important layer is training people to recognise phishing signals before they ever reach the link. URL obfuscation works because people are moving fast. It doesn't work nearly as well on someone who's been shown what to look for.
And if you're a sender, keep your own links clean. Avoid excessive redirect chains in your emails, use full domains where possible, and don't use URL shorteners in cold outreach. Filters flag them, and readers are increasingly suspicious of them too.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.